aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* fix: don't make IBPB mandatory when it's not thereStéphane Lesimple2018-01-241-0/+4
| | | | | | On some kernels there could be IBRS support but not IBPB support, in that case, don't report VULN just because IBPB is not enabled when IBRS is
* fix(cosmetic): tiny msg fixesStéphane Lesimple2018-01-241-4/+5
|
* fix(cpu): trust is_cpu_vulnerable even w/ debugfsStéphane Lesimple2018-01-241-9/+6
| | | | | | For variant3 under AMD, the debugfs vulnerabilities hierarchy flags the system as Vulnerable, which is wrong. Trust our own is_cpu_vulnerable() func in that case
* fix(variant3): do our checks even if sysfs is hereStéphane Lesimple2018-01-241-1/+2
|
* fix(retpoline): retpoline-compiler detectionStéphane Lesimple2018-01-241-5/+5
| | | | | | | | | When kernel is not compiled with retpoline option, doesn't have the sysfs vulnerability hierarchy and our heuristic to detect a retpoline-aware compiler didn't match, change result for retpoline-aware compiler detection from UNKNOWN to NO. When CONFIG_RETPOLINE is not set, a retpoline-aware compiler won't produce different asm than a standard one anyway.
* feat(retpoline): check if retpoline is enabledStéphane Lesimple2018-01-241-0/+14
| | | | | | Before we would just check if retpoline was compiled in, now we also check that it's enabled at runtime (only in live mode)
* feat(sysfs): print details even with sysfsStéphane Lesimple2018-01-241-18/+53
| | | | | | | | | | Before, when the /sys kernel vulnerability interface was available, we would bypass all our tests and just print the output of the vulnerability interface. Now, we still rely on it when available, but we run our checks anyway, except for variant 1 where the current method of mitigation detection doesn't add much value to the bare /sys check
* feat(ibpb): now also check for IBPB on variant 2Stéphane Lesimple2018-01-241-41/+124
| | | | | | | | | | In addition to IBRS (and microcode support), IBPB must be used to mitigate variant 2, if retpoline support is not available. The vulnerability status of a system will be defined as "non vulnerable" if IBRS and IBPB are both enabled, or if IBPB is enabled with a value of 2 for RedHat kernels, see https://access.redhat.com/articles/3311301
* fix(offline): report unknown when too few infoStéphane Lesimple2018-01-231-3/+15
| | | | | | | | In offline mode, in the worst case where an invalid config file is given, and we have no vmlinux image nor System.map, the script was reporting Variant 2 and Variant 3 as vulnerable in the global status. Replace this by a proper pair of UNKNOWNs
* feat: detect invalid kconfig filesStéphane Lesimple2018-01-231-3/+11
|
* fix(dmesg): detect when dmesg is truncatedStéphane Lesimple2018-01-211-20/+34
| | | | | | | | | | | To avoid false negatives when looking for a message in dmesg, we were previously also grepping in known on-disk archives of dmesg (dmesg.log, kern.log). This in turn caused false positives because we have no guarantee that we're grepping the dmesg of the current running kernel. Hence we now only look in the live `dmesg`, detect if it has been truncated, and report it to the user.
* fix(cpu): Pentium Exxxx series are not vulnerableStéphane Lesimple2018-01-211-1/+6
| | | | | | Pentium E series are not in the vulnerable list from Intel, and Spectre2 PoC reportedly doesn't work on an E5200
* fix(display): use text-mode compatible colorsStéphane Lesimple2018-01-211-4/+4
| | | | | | | in text-mode 80-cols TERM=linux terminals, colors were not displaying properly, one had to use --no-color to be able to read some parts of the text.
* bump to v0.32Stéphane Lesimple2018-01-201-1/+1
|
* revert to a simpler check_vmlinux()Stéphane Lesimple2018-01-201-11/+1
|
* cache is_cpu_vulnerable result for performanceStéphane Lesimple2018-01-201-6/+18
|
* is_cpu_vulnerable: implement check for multi-arm systemsStéphane Lesimple2018-01-201-33/+64
|
* check_vmlinux: when readelf doesn't work, try harder with another wayStéphane Lesimple2018-01-201-2/+12
|
* be smarter to find a usable echo commandStéphane Lesimple2018-01-201-3/+17
|
* add pine64 vmlinuz locationStéphane Lesimple2018-01-201-0/+7
|
* arm: cosmetic fix for name and handle aarch64Stéphane Lesimple2018-01-201-2/+4
|
* ARM: display a friendly name instead of empty stringStéphane Lesimple2018-01-201-1/+6
|
* search in /lib/modules/$(uname -r) for vmlinuz, config, System.mapHarald Hoyer2018-01-201-0/+5
| | | | On Fedora machines /lib/modules/$(uname -r) has all the files.
* Atom N270: implement another variationStéphane Lesimple2018-01-191-1/+2
|
* CoreOS: remove ephemeral install of a non-used packageStéphane Lesimple2018-01-181-1/+1
|
* add kern.log as another backend of dmesg outputStéphane Lesimple2018-01-171-0/+7
|
* fix(atom): don't use a pcre regex, only an extended oneStéphane Lesimple2018-01-171-1/+1
|
* fix(atom): properly detect Nxxx Atom seriesStéphane Lesimple2018-01-171-1/+3
|
* Add Support for Slackware.Willy Sudiarto Raharjo2018-01-161-0/+1
| | | | Signed-off-by: Willy Sudiarto Raharjo <willysr@gmail.com>
* Implement CoreOS compatibility mode (#84)Stéphane Lesimple2018-01-161-26/+95
| | | | | | | * Add special CoreOS compatibility mode * CoreOS: refuse --coreos if we're not under CoreOS * CoreOS: warn if launched without --coreos option * is_coreos: make stderr silent * CoreOS: tiny adjustments
* bump to v0.31 to reflect changesStéphane Lesimple2018-01-141-1/+1
|
* meltdown: detecting Xen PV, reporting as not vulnerableStéphane Lesimple2018-01-141-1/+22
|
* is_cpu_vulnerable: add check for old AtomsStéphane Lesimple2018-01-141-1/+10
|
* verbose: add PCID check for performance impact of PTIStéphane Lesimple2018-01-141-2/+24
|
* Merge pull request #80 from speed47/cpuid_spec_ctrlStéphane Lesimple2018-01-141-3/+64
|\ | | | | v0.30, cpuid spec ctrl and other enhancements
| * bump to v0.30 to reflect changesStéphane Lesimple2018-01-141-1/+1
| |
| * ibrs: check for spec_ctrl_ibrs in cpuinfoStéphane Lesimple2018-01-141-3/+19
| |
| * also check for spec_ctrl flag in cpuinfoStéphane Lesimple2018-01-141-7/+15
| |
| * also check for cpuinfo flagStéphane Lesimple2018-01-141-8/+8
| |
| * check spec_ctrl support using cpuidStéphane Lesimple2018-01-141-3/+40
| |
* | Merge pull request #79 from andir/add-nixosStéphane Lesimple2018-01-141-0/+1
|\ \ | |/ |/| add support for NixOS kernel
| * add support for NixOS kernelAndreas Rammhold2018-01-141-0/+1
|/ | | | this removes the need to specify the kernel version manually on NixOS
* fix: proper detail msg in vuln statusStéphane Lesimple2018-01-141-1/+3
|
* Merge pull request #77 from speed47/exitcodeStéphane Lesimple2018-01-141-47/+50
|\ | | | | proper return codes regardless of the batch mode
| * proper return codes regardless of the batch modeStéphane Lesimple2018-01-141-47/+50
|/
* add info about accuracy when missing kernel filesStéphane Lesimple2018-01-131-0/+8
|
* AMD now vuln to variant2 (as per their stmt)Stéphane Lesimple2018-01-131-2/+5
|
* minor is_cpu_vulnerable() changes (#71)Corey Hickey2018-01-131-10/+7
| | | | | | | | | | | | | | | | | | | | * correct is_cpu_vulnerable() comment As far as I can tell, the function and usage are correct for the comment to be inverted. Add a clarifying note as to why the value choice makes sense. * exit on invalid varient If this happens, it's a bug in the script. None of the calling code checks for status 255, so don't let a scripting bug cause a false negative. * no need to set vulnerable CPUs According to comment above this code: 'by default, everything is vulnerable, we work in a "whitelist" logic here.'
* Only show the name of the script, not the full path (#72)Sylvestre Ledru2018-01-131-2/+2
|
* fix some typos (#73)Sylvestre Ledru2018-01-131-2/+2
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-07 09:57:02 +0000